SQL injection is a technique often used to attack data-driven applications.

The attacker includes fragments of SQL syntax in an entry field in an attempt to make the
application pass a newly formed, rogue SQL command to the database (for example, one that
dumps the database contents back to the attacker). SQL injection is a code injection
technique that exploits a security vulnerability in an application's software.

The vulnerability arises when user input is either incorrectly filtered for string-literal
escape characters embedded in SQL statements, or is not strongly typed and is therefore
unexpectedly executed as SQL. SQL injection is best known as an attack vector against
websites, but it can be used against any application that builds SQL statements from
untrusted input, whatever the backend database.

As a condition of your use of this Web
site, you warrant to computersecuritystudent.com that you will not use
this Web site for any purpose that is unlawful or
that is prohibited by these terms, conditions, and notices.

In accordance with UCC § 2-316, this
product is provided with "no warranties, either express or implied." The
information contained is provided "as-is", with "no guarantee of
merchantability."

In addition, this is a teaching website
that does not condone malicious behavior of
any kind.

You are on notice that continuing and/or using this lab outside your "own" test
environment is considered malicious and is against the law.

A single quote (') is a reserved SQL character. Placing one in the Name textbox
breaks the query below. The mere fact that the query produces an error means there
is a strong possibility that the backend program is susceptible to SQL injection.

SELECT * FROM accounts WHERE
username='''
AND password=''

Below is an example of a normal query

SELECT * FROM accounts WHERE
username='admin'
AND password='adminpass'

This payload searches for a username that is either equal to nothing OR where 1 is
equal to 1, so we have created a condition that is always true (OR 1=1). The "-- "
string (two dashes followed by a space; MySQL requires the space) starts a comment in
SQL. We use this trick to comment out the rest of the SQL query (AND password=''),
which eliminates the password check entirely.

SELECT * FROM accounts WHERE username=''
or 1=1-- ' AND password=''

Verifying Results (Got Admin?)

Note(FYI):

Notice that you are logged in as admin. Due to Mutillidae's code design, the
application logs in the first row the query returns, and admin is the first user
in the accounts table.

In DVWA, a similar string (%' or '0'='0'-- ) displays the entire list of
application users, due to its code design.

Logout of Session

Instructions:

Click Logout (See Picture)

Section 9: SQL Injection: Single Quote Test On Password Field

Inspect Password Box Element

Instructions:

Click Login/Register

Name: samurai

Password: Right Click

Click the Inspect Element

Edit Password Box Element

Instructions:

In the password input's type attribute, replace the value "password" with
the word "text"

Minimize Firebug

Single Quote (') Test

Instructions:

Name: samurai

Place a single quote (')
in the Password Text Box (See Picture)

Click the Login Button

Note(FYI):

Notice that the Password textbox is no longer obfuscated: whatever you type
into it is now shown in plaintext.

After you click the Login button you will receive some errors.

Analyze Single Quote (')
Results

Note(FYI):

A single quote (') is a reserved SQL character. Placing one in the Password
textbox breaks the query below. The mere fact that the query produces an error
means there is a strong possibility that the backend program is susceptible to
SQL injection.

SELECT * FROM accounts WHERE
username='samurai' and password='''

Below is an example of a normal query

SELECT * FROM accounts WHERE
username='samurai'
AND password='samurai'

Notice that the mysql shell continues to the next line, meaning the statement is
incomplete (the string literal was never closed). This is what produced the errors
seen in (Section 8, Step 2). To get back to the mysql prompt, we have to complete
the statement with a closing quote and semicolon (';).

The second query is an example of (Section 9, Step 1). The ' or 1=1 produces an
always-true condition, and the ; -- comments out (disables) the "and password" clause.

The first query is an example of (Section 10, Step 3). Due to the code design of
Mutillidae, only one result is displayed in the application. However, running this
query directly in mysql will yield all records.

The second query is an example of (Section 11, Step 3). The ' or (1=1 and username =
'samurai'); -- produces an always-true condition scoped to the samurai account, and
the ; -- comments out (disables) the "and password" clause.
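The following example reproduces both lab results (the single-quote probe and the always-true bypass in the Name field from Section 8, and the same probe plus the samurai-scoped payload in the Password field from Section 9) against a constructed in-memory SQLite table, and sets the vulnerable string-concatenated query beside a parameterized one that the same payloads do not bypass. This is an added example, not code from Mutillidae or from the lab; the accounts table, its rows and the function names are assumptions made for the demonstration. The payloads drop the lab's trailing ";" because the Python sqlite3 driver executes one statement per call and the comment alone is enough to neutralize the password clause.

```python
import sqlite3

# Constructed sample data standing in for Mutillidae's accounts table.
# admin is deliberately the first row: that is why the always-true payload
# logs you in as admin when the application takes the first returned row.
SAMPLE_ACCOUNTS = [
    ("admin", "adminpass"),
    ("samurai", "samurai"),
    ("jeremy", "password"),
]


def build_demo_db():
    """Create an in-memory SQLite database with a tiny accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Build the query by string concatenation, as the lab's backend does.

    Returns ("error", message) when the database rejects the statement
    (the single-quote test) or ("rows", [usernames]) otherwise.
    """
    query = (
        "SELECT username FROM accounts WHERE "
        f"username='{username}' AND password='{password}'"
    )
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("rows", [row[0] for row in rows])


def login_safe(conn, username, password):
    """Same lookup with bound parameters.

    The driver sends the values separately from the SQL text, so a quote or
    a comment sequence in the input is compared as data, never parsed as SQL.
    """
    rows = conn.execute(
        "SELECT username FROM accounts WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return [row[0] for row in rows]


def first_user_or_none(result):
    """Mimic Mutillidae's behaviour of logging in the first returned row."""
    kind, payload = result
    if kind == "rows" and payload:
        return payload[0]
    return None


if __name__ == "__main__":
    db = build_demo_db()
    # Section 8: a lone single quote in the Name field breaks the statement.
    print(login_vulnerable(db, "'", ""))
    # Section 8: always-true condition plus comment removes the password check.
    print(login_vulnerable(db, "' or 1=1-- ", ""))
    # Section 9: the same probe, then the scoped payload, in the Password field.
    print(login_vulnerable(db, "samurai", "'"))
    print(login_vulnerable(db, "samurai", "' or (1=1 and username='samurai')-- "))
    # Parameterized query: the payload is just a string that matches nobody.
    print(login_safe(db, "' or 1=1-- ", ""))
```

The first two vulnerable calls show the two signals the lab teaches: a database error from an unbalanced quote, then a result set containing every account once the password clause is commented out. The same inputs passed to login_safe return an empty list, because the bound value "' or 1=1-- " is compared literally against the username column.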